
New Mirai Variant Targets Routers, Knocks 900,000 Offline

Attackers are targeting DSL routers this week with what’s being called a potent new variant of the Mirai malware that knocked offline major Internet companies like Twitter and Spotify last month.

According to Germany’s Deutsche Telekom, 900,000 of its DSL router customers have already been targeted by attackers. According to the telecommunications company, impacted customers are unable to connect to the Internet; phone and video services that rely on infected modems are inoperable as well.

Security experts say Deutsche Telekom will have patched most of the vulnerable routers by Tuesday, but warn millions of other DSL modems could also be vulnerable to this type of attack.

Attacks take advantage of a flawed implementation of router maintenance features implemented by two Taiwanese router manufacturers, Arcadyan Technology and Zyxel, according to Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. Attackers are able to access TCP NTP Port 7547 to execute remote code in affected routers, Ullrich claims.

“For the last couple of days, attacks against port 7547 have increased substantially,” said Ullrich, adding that a successful attack would allow an adversary to do whatever they want with the router. “They could capture your traffic, they could use your router to launch an attack from or they can be used as part of a DDoS attack,” he said.

A scan of devices by the Shodan search engine reveals about 41 million routers that leave port 7547 open. However, Ullrich estimates that only 2 million of those routers could be vulnerable to attack.

According to security experts, attackers are exploiting a common vulnerability in the TR-069 configuration protocol.

Stefan Ortloff, a researcher with Kaspersky Lab’s Global Research and Analysis Team, explained the vulnerability in a Securelist post on Monday.

“A vulnerability in affected routers causes the device to download the binary with file name ‘1’ from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (‘NXDOMAIN’).”

Previously, Mirai used approximately 60 default passwords to break into DVRs, webcams and other IoT devices. The Mirai attackers have now added a new vulnerability. Ullrich claims attackers “took the Mirai code and added that new exploit to it so now in addition to being able to scan for weak passwords, Mirai is also able to scan for routers that have this remote code execution vulnerability (TR-069).”

TR-069 (Technical Report 069) refers to the DSL Working Group’s specification used by ISPs to remotely administer modems. “The standard was never intended to support remote code execution. But that’s exactly what attackers are doing,” Ullrich said.

Infected routers also exhibit Mirai-like behavior such as deleting themselves from the filesystem (residing only in memory), resolving command and control servers (using the DNS server 8.8.8.8) and scanning the Internet for open TCP port 7547 in order to infect other devices, according to Ortloff.
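The two network-visible behaviors Ortloff describes, outbound scanning for TCP port 7547 and DNS lookups sent straight to 8.8.8.8 instead of the local resolver, can be flagged from flow records. The following script is an added example, not from the article or from Kaspersky; the flow records, the local resolver address and the scan threshold are constructed assumptions.

```python
"""Added example: flag hosts showing the Mirai-variant behaviors described
above (TCP/7547 scanning, direct DNS to 8.8.8.8) in constructed flow records."""
from collections import defaultdict

# Constructed sample flow records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("192.0.2.10", "8.8.8.8", "udp", 53),        # DNS to 8.8.8.8, bypassing the local resolver
    ("192.0.2.10", "198.51.100.1", "tcp", 7547),  # one host probing many peers on 7547
    ("192.0.2.10", "198.51.100.2", "tcp", 7547),
    ("192.0.2.10", "198.51.100.3", "tcp", 7547),
    ("192.0.2.10", "198.51.100.4", "tcp", 7547),
    ("192.0.2.10", "198.51.100.5", "tcp", 7547),
    ("192.0.2.20", "192.0.2.1", "udp", 53),      # normal: uses the local resolver
    ("192.0.2.20", "203.0.113.7", "tcp", 443),
]

LOCAL_RESOLVER = "192.0.2.1"  # assumption: the site's own DNS server
SCAN_THRESHOLD = 5            # distinct TCP/7547 targets before we call it scanning


def find_suspects(flows, local_resolver=LOCAL_RESOLVER, scan_threshold=SCAN_THRESHOLD):
    """Return {src: [reasons]} for hosts that match either behavior."""
    targets_7547 = defaultdict(set)   # src -> distinct hosts contacted on tcp/7547
    external_dns = defaultdict(set)   # src -> DNS servers other than the local one
    for src, dst, proto, port in flows:
        if proto == "tcp" and port == 7547:
            targets_7547[src].add(dst)
        elif proto == "udp" and port == 53 and dst != local_resolver:
            external_dns[src].add(dst)

    suspects = defaultdict(list)
    for src, dsts in targets_7547.items():
        if len(dsts) >= scan_threshold:
            suspects[src].append(f"scanning: {len(dsts)} hosts on tcp/7547")
    for src, servers in external_dns.items():
        if "8.8.8.8" in servers:
            suspects[src].append("DNS sent directly to 8.8.8.8, bypassing local resolver")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The 8.8.8.8 check is only a meaningful signal on networks where clients are expected to use the local resolver; on its own it is a weak indicator, so treat the scanning pattern as the primary trigger.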

Telecom provider Deutsche Telekom has pushed out a fix to impacted routers. Since the infection resides only in the router’s memory, it also recommends power cycling devices to remove the malware.

Potentially impacted equipment made by Arcadyan Technology and Zyxel, neither of which responded to requests for comment for this story, includes Speedport routers and Zyxel modems. Ullrich said customers in the UK and Ireland have also reported similar open-port attacks.

“It’s impossible to know the extent of this problem or if attacks will increase. The good news is fixing this problem is relatively simple,” he said.

Authors

Threatpost